Using Internet on public computers

This is a discussion on Using Internet on public computers within the A Brief History of Cprogramming.com forums, part of the Community Boards category; How to make sure they don't have spyware and keyloggers to steal info?...

The owners of the computers do have the right to monitor their systems. That being said I highly doubt they have purposely put keyloggers and spyware on their systems. They probably do have spyware just because lots of people browse the net ignorant of the threats and expose the system to them.

I would not purchase anything or expose any of my passwords on a public system. Most cases you probably would be safe but I feel it's just not wise to do.

The answer is generally as simple as not sending personal information over an insecure network. While I understand that's not always a simple option for most people, it's generally the best option if you want to make sure nobody is messing with your data. Even if the owner of the network was a good person, you have to consider that they aren't so technically savvy that they secure their network from malicious users finding a way to sniff all the packets sent through the network from any of the hubs.

To put it bluntly, if you want to pay your bills, do it through the mail. If you want to purchase something, use Paypal. Otherwise, find a way to get yourself on a secure, private network.

Well, one way to "trick" keylogger is to have for example a text editor open; if you want to enter a sensitive information, you begin by typing some letters, then you switch to the text editor (using the mouse, not something like Alt+Tab, just to be sure), type a couple of "random" letters there, switch back and continue entering your sensitive information, than go back to the text editor, etc. It's long and painful, but if well done it could make finding the "sensitive information" more difficult. Of course, it's not bulletproof. Especially if the keylogger is "application/window specific" (do they exist?), i.e. it doesn't log all the entered keys in the same file.

It's probably one of those situations for which the solution is not facing the problem.

If there is a security concern and you can't look at the processes list or someone with admin rights can't or refuses to show it to you, they are essentially providing a bad service. And the best option is to not use their service and find someone else who can address your rightful concerns.

I think abh1shek meant that how he can be sure the public computer isn't infected with a keylogger by some previous user of that computer. And I guess most keyloggers don't show themselves in the process list (as a DLL perharps). This way we can leave out hardware keyloggers and network monitoring.

Even then, you will still be vulnerable to a hardware keylogger wired into the keyboard itself. Use your own "charmap" with a mangled keyboard layout to type in words using mouse clicks should make life more interesting for any snoop.

I'm guessing most keyloggers are looking at the software messages which go along with keyboard events, not the low level keyboard driver. This approach would be simpler to implement and require fewer permissions as far as sneaking itself onto the system. On screen keyboards work by triggering software key events, so every time you click a character, it gets sent as a key event, and is logged as a keypress, although not being from the keyboard.

Salem was suggesting a bootable OS on a pen drive or a CD. Such an OS would not be vulnerable to software loggers on the existing system, just to hardware loggers. A virtual keyboard as he suggested would make things harder for hardware loggers, which is the only thing you'd have to worry about. (Assuming your own system doesn't get infected, but that would be an issue with any computer system, including your own.)

Well, one way to "trick" keylogger is to have for example a text editor open; if you want to enter a sensitive information, you begin by typing some letters, then you switch to the text editor (using the mouse, not something like Alt+Tab, just to be sure), type a couple of "random" letters there, switch back and continue entering your sensitive information, than go back to the text editor, etc. It's long and painful, but if well done it could make finding the "sensitive information" more difficult. Of course, it's not bulletproof. Especially if the keylogger is "application/window specific" (do they exist?), i.e. it doesn't log all the entered keys in the same file.

My favorite trick: type a password or something with, say, three extra characters in the middle. Select the extra characters with the mouse, and delete them (with right-click -> delete if you want to).

About the only way to detect this would be to save a screenshot of the screen just before you typed your password, so that you could see the position of the textbox you were typing in. Coupled with the position of the mouse as it performed the selection, you could then determine how many characters were deleted.

(Note that it would probably be best if you selected the textbox to type your password in with the tab key rather than with a mouse click, which might give some clue . . . .)

Of course, there may be other ways to figure out what happened, I just can't think of any at the moment.

And anyway, this still isn't very good security. If an attacker knows that "pas4nmsword" is your password with just a few extra characters, then figuring it out would be significantly easier than brute force.

It would probably be best to type a few fake passwords first and delete them with the mouse, and to choose a password that is reasonably hard to spot in a key log. (For example, "somethingthecatdraggedin" would be better than "43Nfkj556Mdfjk4jl". Perhaps.)

But I'm rambling on here about something that is quite useless. If you're concerned about security, get your own operating system. It's about the only way you can be certain about things.

"Simplicity does not precede complexity, but follows it." -- Alan Perlis
"Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
"The only real mistake is the one from which we learn nothing." -- John Powell

Having a password such as 43Nfkj556Mdfjk4jl will also make a possible attacker simply disregard the password as nonsense, since it is unlikely you would have such a password.
Although if it stands out among the rest of the logged information, the hacker might become suspicious.